google / gae-secure-scaffold-python3 Goto Github PK

If you deploy a basic scaffold App Engine app, on startup it always attempts to connect to Cloud Datastore using the default service account credentials. This happens even if nothing in the app uses Cloud Datastore.

On a new App Engine project, this causes a 500 error. In the application log, you can see a message google.api_core.exceptions.PermissionDenied: 403 Missing or insufficient permissions that is emitted as part of the NDB datastore library.

A quick fix is to grant the default App Engine service account the required permissions.

The default App Engine service account normally gets the editor role, but this can be changed per-organization. If the GCP organization changes the default role, or removes all permissions for the service account by default, then your scaffold app can fail.

https://cloud.google.com/appengine/docs/standard/configure-service-accounts#default_service_account

The scaffold connects to the datastore in order to set/get a secret that is used by Flask for signing cookies and stuff. If the app doesn't need to do that, then we should make it so the app doesn't require access to the datastore , and avoid this error.

https://flask.palletsprojects.com/en/3.0.x/config/#SECRET_KEY

Hi!

It looks like it's not possible to customize the value of the X-Frame-Options header. The get_talisman_config() function seems to only pick up a selection of settings, which does not include the frame-options one.

I need this because I'm building component that will be embedded in a website on another domain, in an iframe.

Am I missing something ?

Following a suggestion from @miuraken , we should have a CI pipeline to run tests and enforce a code style.

Use Cloud Build: https://cloud.google.com/solutions/continuous-integration

When trying to use users.get_current_user(), this line gives an assertion error which prevents the app from running locally:
https://github.com/google/gae-secure-scaffold-python3/blob/master/src/securescaffold/contrib/appengine/users.py#L69

As a current solution we wrap it in a try/catch, using a default email on an exception.

Is possible to have a mock user for a local environment, or similar?

Find out what the pain points are for projects which want to use reproducible builds with pip, and fix them.

https://pip.pypa.io/en/stable/topics/secure-installs/

Issue

Currently, any query string set on the redirect path is not preserved when redirected.

Behaviour

Current: /?foo=bar -> /intl/en/
Expected: /?foo=bar -> /intl/en/?foo=bar

Setup

# Follows github.com/google/gae-secure-scaffold-python3/blob/master/examples/language-redirect/main.py

app = securescaffold.create_app(__name__)
app.add_url_rule("/", "lang_redirect", securescaffold.views.lang_redirect)

app.config["LOCALES"] = ["en"]
app.config["LOCALES_REDIRECT_TO"] = "/intl/{locale}/"

Please document how to use this secure scaffold with single page applications, e.g. Angular and React SPAs. These would typically serve the static HTML directly from AppEngine (not through Python templating), which makes it impossible to inject the CSRF token. To make things more complicated, the CSRF token can also not be read from client-side JavaScript, because the secure scaffold defaults set the cookie to HttpOnly.

As far as I can tell, setting the cookie to HttpOnly does not add to the protection in a major way - e.g. see https://docs.djangoproject.com/en/3.0/ref/settings/#csrf-cookie-httponly.

The examples use the Python 3.7 runtime for App Engine. Update to the current runtime version.